Az backup admin with contributor access on Azure resouceguard can disable MUA

Question

https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization

As per the above Microsoft documentation on configuring MUA on Az resource guard, it says that initially backup admin should have reader role on resource guard and then should request contributor access on azure resource guard to perform critical operation on azure recovery vault.

But then if grant contributor access to Backup admin on resource guard, he can completely disable the MUA protection option on the recovery vault. So the purpose of protecting critical operations on recovery vault is defeated.

Actually upon receiving the contributor access on resource guard, the backup admin should still not be able to disable MUA and this permission should only rest with subscription owner or global admin.

Please guide

Answer 1

@MS Techie Thank you for posting your question on Microsoft Q&A community forum. Happy to assist!

This is true- disabling MUA, currently, is like any other critical operation can be performed with the contributor permissions on the resource guard. We are working on some other capabilities that can help address concerns like these where we can put tighter controls, however, there are no immediate plans around this for MUA. Thanks for bringing this up, we will take note of this.

Update:

If you're wanting to deny using policy for azure subscription owner from disabling MUA. Then this is not possible as of today. Because there is a bit of pre-requisite work needed from our end (making MUA settings accessible by Azure Policy) in order to enable customers to write a deny policy for disabling MUA. This is on our roadmap, and we’ll be able to get back on more details around timelines.

----------------------------------------------------------------------------------------------------------------------

If the response helped, do "Accept Answer" and up-vote it